Tuesday, 21 December 2010

Unique Password Generation System

After last weeks hacking of Gawker Media's passwords, we have yet again been warned to use unique passwords on every site. While I appreciate the security reasons for this, there is no way i can remember 75+ unique, 9-digit alpha-numeric-symbol passwords - henceforth referred to as a 'strong password'.

While my current password system wouldn't succumb to the normal guesses for passwords, or probably even a brute force attack, i am certainly guilty of using the same 5 or 6 passwords over most sites. I have been thinking about how to diversify my passwords for a long time and have looked at various options but they all seemed to have problems:

Write Passwords Down - Back in the day (pre-1996) you were always advised never to write your passwords down. Two things have changed since then: 1) People have way more passwords to remember now and 2) The primary threat is remote (via the internet), rather than requiring physical access to your machine. The rationale for writing down passwords is that you get more security from having unique strong passwords, than you would with re-used weak passwords that you can remember. The only downside - and it's a doozy - is that if someone does get physical access to you computer or even just your password list, you are screwed. You also can't access your passwords remotely if you are travelling or away from your desk (unless you take them with you everywhere which would be pretty dumb).

Encrypted File Storage - Building on the above, how do you make it harder for someone to read your written down passwords? ... easy, encrypt the file. Write down all the passwords in a text or excel file, then encrypt the file with TrueCrypt - whatever you do don't use the built-in encryption in MS Office, it's terrible - using a really strong password. Now you only need to remember one password to open the file and get access to all of your other passwords. Alas it only solves the problem of someone getting access to your passwords, but doesn't fix being able to access your passwords from anywhere because you need admin rights to run TrueCrypt (no use for internet cafes).

Encrypted Online Storage - For a long time i thought PassPack was going to be the best option. Your passwords are double encrypted, stored on a website and there are various nifty security (one-time keys) and management (automatic logon) features. This means the passwords are securely encrypted AND available anywhere. I really wanted to use PassPack, but ultimately two things killed it for me: 1) If the site disappears (goes bankrupt, gets sold), so do my passwords and 2) A website containing passwords has a giant target painted on it for hackers and nothing is 100% secure forever.

Encrypted Hardware Storage - So on top of security and portability, it turned out i also want to have ultimate control over my passwords too. It seemed that the easiest way to have the most control would be to use hardware. I remembered i had seen the Mandylion Password Manager on Think Geek, it is a physical token that generates and securely stores your passwords. Two problems though: 1) Inputting site names or usernames to it with only arrow keys looks to be a serious pain and 2) If you lose or break it your passwords are gone. I also looked at things like: 1Password (not sure about security), Roboform (don't trust it) and Iron Key (expensive) but ruled them out.

Repeatable Online Generation - Ultimately i think i am just uncomfortable trusting my clear text passwords to any hardware or software, nothing is secure forever. I came across a website called PwdMkr which allows you to repeatably generate unique random passwords for websites. It checks almost all of my boxes: self-hosted (so quite obscure and controllable), lots of options (character sets, length, salt), the website can be encrypted for backup and best of all the password isn't stored, you just need to remember how to generate it. My only issue is that i can only protect the site with an .htaccess password. Ok so an attacker would have to break my .htaccess password AND work out my system for generating passwords, but still a worry.

So after years of research and thought, i was still stuck doing what i have always done, then a couple of nights ago i had an epiphany, go back to the future with a Book Cipher!

Book Cipher - A book cipher is a classic espionage technique for passing covert messages. In it's simplest form there is a numeric code which refers to a specific word; e.g. 040 15 07 would refer to page 40, line 15, word 7, but there are a number of ways it could be used to generate a password. Maybe just have a code that refers to the page and line, then use the first letters from each word in the sentence for the password. Alternatively you could refer to a page, then some words on that page could be joined together to make a password. The possibilities are endless. Similar to Repeatable Online Generation, the password is never stored, instead you store a key which allows you to generate the password from a specific book. There are a few things to keep in mind: 1) Make sure you know the edition of the book you are using because if you lose the book, a different edition will probably have different page numbers etc. 2) Portability can be achieved either with a small book you can take everywhere with you or by storing an e-book online (make sure your generation process is suitably obscure). For me this brings together a lot of benefits: 1) I just have to remember a process and not even a single password, 2) There is plenty of redundancy built it - multiple copies of books, multiple storage of keys etc. 3) Security through obscurity. There may not be any fancy encryption, but unless you have Bletchly Park or the NSA working on it, a book cipher is a tough code to crack.

In the end there is always a balance between security and ease of use, how far you go to either side is up to you. Really any of the techniques above will leave you better off than the average person and a book cipher is perhaps a little onerous and obscure.

No comments:

Post a Comment